Blockchain technology is on a collision course with EU privacy law

Those who have heard of "blockchain" technology generally know it as the underpinning of the Bitcoin virtual currency, but there are myriad organizations planning different kinds of applications for it: executing contracts, modernizing land registries, even providing new systems for identity management.

There's one huge problem on the horizon, though: European privacy law.

The bloc's General Data Protection law, which will come into effect in a few months' time, says people must be able to demand that their personal data is rectified or deleted under many circumstances. A blockchain is essentially a growing, shared record of past activity that's distributed across many computers, and the whole point is that this chain of transactions (or other fragments of information) is in practice unchangeable – this is what ensures the reliability of the information stored in the blockchain.

For blockchain projects that involve the storage of personal data, these two facts do not mix well. And with sanctions for flouting the GDPR including fines of up to €20 million or 4 percent of global revenues, many businesses may find the ultra-buzzy blockchain trend a lot less palatable than they first thought.

"[The GDPR] is agnostic about which specific technology is used for the processing, but it introduces a mandatory obligation for data controllers to apply the principle of 'data protection by design'," said Jan Philipp Albrecht, the member of the European Parliament who shepherded the GDPR through the legislative process. "This means for example that the data subject's rights can be easily exercised, including the right to deletion of data when it is no longer needed.

"This is where blockchain applications will run into problems and will probably not be GDPR compliant." — Jan Philipp Albrecht, MEP

"This is where blockchain applications will run into problems and will probably not be GDPR compliant."

Altering data "just doesn't work on a blockchain," said John Mathews, the chief finance officer for Bitnation a project that aims to provide blockchain-based identity and governance services, as well as document storage. "Blockchains are by their nature immutable. The GDPR says you must be able to remove some data, so those two things don't square off."

There are two main types of blockchain: private or "permissioned" blockchains that are under the control of a limited group (such as the Ripple blockchain that's designed to ease payments between financial services providers); and public or "permissionless" blockchains that aren't really under anyone's control (such as the Bitcoin or Ethereum networks).

It is technically possible to rewrite the data held on a blockchain, but only if most nodes on the network agree to create a new "fork" (version) of the blockchain that includes the changes — and to then continue using that version rather than the original. That's relatively easy on a private blockchain, if not ideal, but on a public blockchain it's a seismic and exceedingly rare event. At least as the technology is currently designed, there is little to no scope for fixing or removing bits of information here and there on an ongoing basis.

"From a blockchain point of view, the GDPR is already out of date," Mathews said. "Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user's data, which is the opposite of what a permissionless blockchain does."

Jutta Steiner is the founder of Parity.io, a startup that develops decentralized technologies, and the former security chief for the Ethereum Foundation. She agrees with Mathews that "the GDPR needs a proper review."

"From a practitioner's perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works," Steiner said. "The way [public decentralized network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it's out, it's out."

"Given the stage where the technology is at, I think there's time to hopefully adjust certain things in the GDPR," Steiner added. "I can't see the regulators being so stubborn as to not adjust the regulation. … They'll just see the other countries will use the technology and Europe is at a disadvantage."

"I can't see the regulators being so stubborn as to not adjust the regulation. … They'll just see the other countries will use the technology and Europe is at a disadvantage." — Jutta Steiner, Parity.io

That seems unlikely to happen anytime soon. The GDPR is a new regulation, and EU laws tend to last for a long time before revision — the Data Protection Directive that preceded the GDPR was drafted way back in 1995.

"Certain technologies will not be compatible with the GDPR if they don't provide for [the exercising of data subjects' rights] based on their architectural design," Albrecht insisted. "This does not mean that blockchain technology in general has to adapt to the GDPR, it just means that it probably cannot be used for the processing of personal data. This decision is the responsibility of every organization that processes personal data."

Although the clash between the GDPR and blockchain technology has received little attention so far, it has occurred to some people.

The Interplanetary Database was, until its main funder recently pulled support, a project that aimed to build a blockchain-based database system – it was to be a sort of hybrid private-public blockchain, where the nodes in the network were preselected, but anyone could send transactions to the network or read the data stored on it. According to IPDB Foundation co-founder Greg McMullen, the Berlin-headquartered team was well aware of the problems posed by the GDPR.

One problem, McMullen said, was the inability to modify or delete data stored in a blockchain. But there was another issue, too.

"The GDPR is written for a cloud services model where, say, I'm a startup and I collect restaurant order data and I store it all on Amazon Web Services, and they do my hosting for me, so I have to have a contract with Amazon that passes on my privacy obligations to them," McMullen said. "It works really well when there's one or two providers, but when you start having a decentralized network it breaks down entirely. You can't have a contract with [all] the nodes on the Ethereum network. It's unfeasible."

So who actually is liable for data protection in a decentralized network? After all, one of the big attractions of such networks is that they are resistant to censorship, because there's no central body – no Amazon or Facebook – for enforcers to go after, and because the nodes or users that make up the network are scattered around the world.

According to Albrecht, if it's a private blockchain, GDPR compliance is the responsibility of the organization that's deploying it. "For decentralized and public blockchain applications, it would be the responsibility of each user who puts personal data in the distributed ledger to ensure this is GDPR compliant," the parliamentarian said. "Which in most cases it won't [be]."

"It's true that the regulations will need to catch up with the technology, but you have to be realistic about the fact that the GDPR is a real thing and it's happening, and there will be enforcement of it." -Greg McMullen, IPDB

The liability issue will scare many businesses off using blockchains, McMullen warned. "It's true that the regulations will need to catch up with the technology, but you have to be realistic about the fact that the GDPR is a real thing and it's happening, and there will be enforcement of it," he said. "When you're asking companies to use blockchains, they're not going to take that risk with their customers' data – or at least they shouldn't be."

According to McMullen, the IPDB Foundation had been working on various ideas for dealing with the data protection problem. One was a system of "blacklisting" certain data so that, even if it wasn't deleted from the network when this was required, it wouldn't be served when requested.

Another idea was to only put "hashes" of personal data into the blockchain, rather than the data itself. Hashes are mathematical derivations of data that, if properly implemented, cannot be reverse-engineered to expose the data that's being represented – but you can use them to verify the underlying data, by repeating the hashing algorithm on that data and comparing the result with the stored hash. With a blockchain of hashes, rather than the underlying data, it might be possible to delete the data without having to alter the blockchain. That way, the blockchain might manage to be useful for verifying data while remaining GDPR-compliant, McMullen suggested.

Is it likely that regulators would crack down on this emerging sector, though? McMullen, a lawyer, said the first enforcement targets would most likely be "the usual suspects — the Googles, Facebooks, Amazons," but it "could be very easy for a regulator to decide to make a show of going after a blockchain company because it is a very hyped term."

"As companies start understanding [the GDPR's implications], we could see a real move to adjust to the laws by collecting less data and using the data in a way that doesn’t expose it to the public internet, such as with hashes," McMullen said. "In that way, the technology might adjust to the law as well as the law adjusting to the technology. It could in the end be very good for user privacy."

Author

Tags

6 Comments

I think the intersection of blockchain technology and GDPR is less problematic than portrayed here. First, anyone using a blockchain as a database fundamentally misunderstands the technology and more importantly, the economics. Blockchains are more analogous to a log file than database. I find it amusing when projects talk about "storing" data, especially personal data, on a blockchain. It doesn't scale. Secondly, blockchains have a built in updating mechanism, with each new block. You can liken it to a Word document with tracking turned on. If I I need to update information about myself in a Word document (my resume with a new job for instance), I can cross out old information and add additional information. The tracking log shows the changes but the most up to date version of the document shows the current state. So, too, would the current state of the blockchain. Thirdly (and there are other arguments to be made here, but this is the last that I'll make), is that blockchain protocols are not immutable. They can be made to include certain functionality (like pruning old data) or forking to meet specific needs of the blockchain vis-a-vis certain regulatory requirements. The protocol developer and the participants just need to agree to run a compliant version.

comment
Kwee Huay Ching • Feb 28, 2018

Hi since the log file on changes remain in the nodes, I would presume if it has personal I formation earlier already created and housed in the log files, it stay forever.

comment
Jon Sriro • Mar 5, 2018

Very interesting article! I think there are a lot of issues that it raises that need to be addressed. On a very high level: If I am a company that accepts Bitcoin as a payment method, do I have the same or similar data obligations as if I allowed for processing of credit card payments through my website? Also, what obligations do miners have that are storing and memorializing the distributed ledger have under the GDPR and are any of those obligations shared by companies transacting business using Bitcoin? Lastly, can the GDPR be enforced against miners and how would that be accomplished? It just seems to me based upon David's article that if the GDPR is going to be able to enforce any laws that curb or control blockchains utilizing a distributed ledger for transacting payments, it is going to have to focus on the companies using the blockchain and that would probably create numerous legal challenges.

comment
Modi Radha • Mar 16, 2018

The blockchain is the world's largest software platform for digital assets. Offering the largest production blockchain platform in around the world, we are using new technology to build a radically better financial system. but we have to increase our system compatibility first then blockchain will be more beneficial for us. Many peoples don't aware about blockchain and how it's work. for a beginner , they don't know <a href="https://www.flickr.com/people/155490335@N03/" rel="nofollow">Windows 10 Help and Support</a> so have to update first their system then can better use of blockchain.

comment
Catherine Chen • Mar 22, 2018

Just to clarify—the Blockchain just contains a link to the vault. The vault can be emptyed just like any other storage. This way data can be deleted permanently.

comment
Remy Lang • Mar 28, 2018

A better understanding of blockchain and distributed ledger technology by both journalists and politicians is strongly needed. Jason Cronk's comment indicates just a few of the misunderstandings in this article, and there are quite some more.

Related Stories

In a packed room Tuesday here at P.S.R. in San Diego, Calif., privacy pros learned about, and discussed, what is perhaps the most hyped, and least understood, technology in the digital world: blockchain. With an internet-of-things ecosystem exploding across the globe, the mathematics and cryptograph...

Speaking at a U.S. House Committee on Science, Space, and Technology hearing, IBM Fellow Jerry Cuomo advocated for government use of blockchain, Computerworld reports. Cuomo called for the government to take the lead in promoting and deploying blockchain. Cuomo did warn the government about overregu...

A bipartisan bill proposing the use of blockchain technology for governmental data security was introduced in the Colorado Senate last week, StateScoop reports. Sumana Nallapati, Colorado’s secretary of technology and state chief information officer, said, “To be an early adopter of blockchain, our ...

The European Commission outlined several of its efforts to develop a common approach on blockchain technology for the European Union. Among the projects are the EU Blockchain Observatory and Forum, which will map blockchain initiatives in Europe and monitor trends with the technology, and calls for ...

The Canadian government will be assisting in the testing of a new app allowing travelers to digitize information with authorities before flying, Global News reports. The “Known Traveler Digital Identity” system gives individuals the opportunity to store data such as their residency cards, countries ...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.